Launch the stack
This automated AWS CloudFormation template deploys Workload Discovery on AWS in the AWS Cloud. You must gather deployment parameter details before launching the stack. For details, refer to Prerequisites.
Time to deploy: Approximately 30 minutes
- Sign in to the AWS Management Console and select the button to launch the workload-discovery-on-aws.template AWS CloudFormation template.
- The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.
Note
This solution uses services that are not available in all AWS Regions. Refer to Supported AWS Regions for a list of supported AWS Regions.
- On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box, and choose Next.
- On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and AWS STS quotas in the AWS Identity and Access Management User Guide.
- Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

Parameter (default value): Description

AdminUserEmailAddress (<Requires input>): An email address used to create the first user. The temporary credentials are sent to this email address.
AlreadyHaveConfigSetup (No): Confirmation of whether or not you already have AWS Config set up in the deployment account. For details, refer to Prerequisites.
AthenaWorkgroup (primary): The workgroup used to issue the Athena query when the Cost feature is enabled.
ApiAllowListedRanges (0.0.0.0/1,128.0.0.0/1): Comma-separated list of CIDRs that manage access to the AppSync GraphQL API. To allow the entire internet, use 0.0.0.0/1,128.0.0.0/1. If you restrict access to specific CIDRs, you must also include the IP addresses (with a subnet mask of /32) of the NAT gateways through which the discovery process ECS task, running in its private subnet, reaches the internet. Note: this allow list does not govern access to the web UI, only the GraphQL API.
CreateNeptuneReplica (No): Choose whether to create a read replica for Neptune in a separate Availability Zone. Choosing Yes improves resilience but increases the cost of this solution.
CreateOpenSearchServiceRole (Yes): Confirmation of whether or not you already have a service-linked role for Amazon OpenSearch Service. For details, refer to Prerequisites.
NeptuneInstanceClass (db.r5.large): The instance type used to host the Amazon Neptune database. Your selection affects the cost of running this solution.
OpensearchInstanceType (m6g.large.search): The instance type used for your OpenSearch Service data nodes. Your selection affects the cost of running the solution.
OpensearchMultiAz (No): Choose whether to create an OpenSearch Service cluster that spans multiple Availability Zones. Choosing Yes improves resilience but increases the cost of this solution.
CrossAccountDiscovery (SELF_MANAGED): Choose whether Workload Discovery on AWS or AWS Organizations manages the importing of accounts. The value can be SELF_MANAGED or AWS_ORGANIZATIONS.
OrganizationUnitId (<Optional input>): The root organizational unit ID. This parameter is only used when CrossAccountDiscovery is set to AWS_ORGANIZATIONS.
AccountType (DELEGATED_ADMIN): The type of AWS Organizations account to install Workload Discovery on AWS in. This parameter is only used when CrossAccountDiscovery is set to AWS_ORGANIZATIONS. For details, refer to Choosing the deployment account.
ConfigAggregatorName (<Optional input>): The AWS Organizations-wide Config aggregator to use. You must install the solution in the same account and Region as this aggregator. If you leave this parameter blank, a new aggregator is created. This parameter is only used when CrossAccountDiscovery is set to AWS_ORGANIZATIONS.
CpuUnits (1 vCPU): The number of CPUs to allocate for the Fargate task that the discovery process runs in.
Memory (2048): The amount of memory to allocate for the Fargate task that the discovery process runs in.
DiscoveryTaskFrequency (15mins): The time interval between runs of the discovery process ECS task.
MinNCUs (1): Minimum Neptune Capacity Units (NCUs) to set on the Neptune cluster (must be less than or equal to MaxNCUs). Required if the Neptune instance class is db.serverless.
MaxNCUs (128): Maximum NCUs to set on the Neptune cluster (must be greater than or equal to MinNCUs). Required if the Neptune instance class is db.serverless.
VpcId (<Optional input>): The ID of an existing VPC for the solution to use. If you leave this parameter blank, a new VPC is provisioned.
VpcCidrBlock (<Optional input>): The CIDR block of the VPC referenced by the VpcId parameter. This parameter is only used if the VpcId parameter is set.
PrivateSubnet0 (<Optional input>): The first private subnet you wish to use. This parameter is only used if the VpcId parameter is set.
PrivateSubnet1 (<Optional input>): The second private subnet you wish to use. This parameter is only used if the VpcId parameter is set.
UsesCustomIdentity (No): Confirmation of whether or not you will be using a custom identity provider, such as SAML or OIDC.
CognitoCustomDomain (<Optional input>): The domain prefix for the Amazon Cognito custom domain that hosts the sign-up and sign-in pages for your application. Leave empty if you are not using a custom IdP; otherwise the value must contain only lowercase letters, numbers, and hyphens.
CognitoAttributeMapping (<Optional input>): The mapping of IdP attributes to standard and custom Cognito user pool attributes. Leave empty if you are not using a custom IdP; otherwise the value must be a valid JSON string.
IdentityType (<Optional input>): The type of identity provider to use (Google, SAML, or OIDC). Leave empty if you are not using a custom IdP.
ProviderName (<Optional input>): Name for the identity provider. Leave empty if you are not using a custom IdP.
GoogleClientId (<Optional input>): The Google client ID to use. This parameter is only used when IdentityType is set to Google.
GoogleClientSecret (<Optional input>): The Google client secret to use. This parameter is only used when IdentityType is set to Google.
SAMLMetadataURL (<Optional input>): The metadata URL for the SAML identity provider. This parameter is only used when IdentityType is set to SAML.
OIDCClientId (<Optional input>): The OIDC client ID to use. This parameter is only used when IdentityType is set to OIDC.
OIDCClientSecret (<Optional input>): The OIDC client secret to use. This parameter is only used when IdentityType is set to OIDC.
OIDCIssuerURL (<Optional input>): The OIDC issuer URL to use. This parameter is only used when IdentityType is set to OIDC.
OIDCAttributeRequestMethod (GET): The OIDC attribute request method to use. Must be either GET or POST (refer to your OIDC provider, or use the default value). This parameter is only used when IdentityType is set to OIDC.

- Choose Next.
- On the Configure stack options page, choose Next.
- On the Review and create page, review and confirm the settings. Select the boxes acknowledging that the template creates IAM resources and requires certain capabilities.
- Choose Submit to deploy the stack.
You can view the status of the stack in the AWS CloudFormation Console in the Status column. You should receive a CREATE_COMPLETE status in approximately 30 minutes.
Note
If deleted, this stack removes all resources. If the stack is updated, it retains the Amazon Cognito user pool to ensure that configured users aren’t lost.
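A pre-flight check for the parameter values in the table above, written as an added example and not part of the solution or this guide: it flags the ApiAllowListedRanges default that exposes the GraphQL API to the entire internet, a NAT gateway address missing from a restricted allow list (which would block the discovery task), and the dependencies between parameters the table describes (OrganizationUnitId, MinNCUs/MaxNCUs, and the custom IdP fields). The parameter values and NAT gateway IPs are constructed for the example.

```python
import ipaddress
import json
import re

# Constructed sample parameter values for this check (not a real deployment).
PARAMS = {
    "ApiAllowListedRanges": "203.0.113.0/24,198.51.100.7/32",
    "CrossAccountDiscovery": "AWS_ORGANIZATIONS",
    "OrganizationUnitId": "",
    "NeptuneInstanceClass": "db.serverless",
    "MinNCUs": "1",
    "MaxNCUs": "128",
    "UsesCustomIdentity": "Yes",
    "CognitoCustomDomain": "My_Domain",
    "CognitoAttributeMapping": "{not json",
}
# Constructed public IPs of the NAT gateways the discovery task egresses through.
NAT_GATEWAY_IPS = ["198.51.100.7", "198.51.100.8"]
ENTIRE_INTERNET = {"0.0.0.0/1", "128.0.0.0/1"}

def check_parameters(params, nat_ips):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    ranges = [r.strip() for r in params["ApiAllowListedRanges"].split(",") if r.strip()]
    nets = []
    for r in ranges:
        try:
            nets.append(ipaddress.ip_network(r, strict=True))
        except ValueError:
            findings.append(f"ApiAllowListedRanges: {r!r} is not a valid CIDR")
    if set(ranges) == ENTIRE_INTERNET:
        findings.append("ApiAllowListedRanges: default exposes the GraphQL API to the entire internet")
    else:
        # Any listed range covering the NAT gateway IP suffices; the guide suggests an explicit /32.
        for ip in nat_ips:
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                findings.append(f"ApiAllowListedRanges: NAT gateway {ip}/32 is missing, discovery would be blocked")
    if params["CrossAccountDiscovery"] == "AWS_ORGANIZATIONS" and not params.get("OrganizationUnitId"):
        findings.append("OrganizationUnitId: required when CrossAccountDiscovery is AWS_ORGANIZATIONS")
    if params["NeptuneInstanceClass"] == "db.serverless" and int(params["MinNCUs"]) > int(params["MaxNCUs"]):
        findings.append("MinNCUs: must be less than or equal to MaxNCUs")
    if params["UsesCustomIdentity"] == "Yes":
        if not re.fullmatch(r"[a-z0-9-]+", params.get("CognitoCustomDomain", "")):
            findings.append("CognitoCustomDomain: only lowercase letters, numbers and hyphens are allowed")
        try:
            json.loads(params.get("CognitoAttributeMapping", ""))
        except ValueError:
            findings.append("CognitoAttributeMapping: must be a valid JSON string")
    return findings
```

Run `check_parameters(PARAMS, NAT_GATEWAY_IPS)` before creating the stack; the constructed sample yields four findings (missing NAT gateway 198.51.100.8, missing OrganizationUnitId, invalid Cognito domain prefix, and invalid attribute mapping JSON).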